Firefox Vulnerable to Man In The Middle Attack

[Omnipotent]

A critical vulnerability resides in the fully-patched version of the Mozilla's Firefox browser that could allow well-resourced attackers to launch man-in-the-middle (MITM) impersonation attacks and also affects the Tor anonymity network.

The Tor Project patched the issue in the browser's HTTPS certificate pinning system on Friday with the release of its Tor Browser version 6.0.5, while Mozilla still has to patch the critical flaw in Firefox.

Attackers can deliver Fake Tor and Firefox Add-on Updates

The vulnerability could allow a man-in-the-middle attacker who is able to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla servers and as a result, deliver a malicious update for NoScript, HTTPS Everywhere or other Firefox extensions installed on a targeted computer.
"This could lead to arbitrary code execution [vulnerability]," Tor officials warned in an advisory. "Moreover, other built-in certificate pinnings are affected as well."Although it would be challenging to obtain a fraudulent certificate for addons.mozilla.org from any one of several hundred Firefox-trusted certificate authorities (CAs), it is within reach of powerful nation states attackers.

The vulnerability was initially discovered Tuesday by a security expert that goes by the name of @movrcx, who described the attacks against Tor, estimating attackers would need US$100,000 to launch the multi-platform attacks.

Actual Issue resides in Firefox's Certificate Pinning Procedure

However, according to a report posted Thursday by independent security researcher Ryan Duff, this issue also affects Firefox stable versions, although a nightly build version rolled out on September 4 is not susceptible.

Duff said the actual problem resides in Firefox's custom method for handling "Certificate Pinning," which is different from the IETF-approved HPKP (HTTP Public Key Pinning) standard.

Certificate Pinning is an HTTPS feature that makes sure the user's browser accepts only a specific certificate key for a particular domain or subdomain and rejects all others, preventing the user from being a victim of an attack made by spoofing the SSL certs.

While not very popular, HPKP standard is often used on websites that handle sensitive information.
"Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP," says Duff. "The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario."Mozilla is scheduled to release Firefox 49 on September 20, so the team has enough time to deliver a fix. The Tor Project took just one day to address the flaw after the bug's disclosure went online.

Users of Tor Browser should update to version 6.0.5, while Firefox users should disable automatic add-on updates, a default feature in the browser, or should consider using a different browser until Mozilla releases the update.

 

[frogboy]

Thanks for the heads up just switched over from Cyberfox to Slimjet for a bit until this is rectified.

 

[omidomi]

same as : Firefox, Tor Browser Vulnerable to Malicious Add-on Attacks | SecurityWeek.Com
A vulnerability related to certificate pinning allows sophisticated threat actors to compromise the systems of Tor Browser and Firefox users via man-in-the-middle (MitM) attacks and malicious add-ons.

Firefox automatically updates installed add-ons over an HTTPS connection. In order to prevent MitM attacks that leverage misissued certificates, Mozilla also uses a form of certificate pinning.

The problem is that Mozilla does not use the typical HTTP Public Key Pinning (HPKP) and a flaw in its own process has led to pinning for add-on updates becoming ineffective since the launch of Firefox 48 on September 10 and Firefox ESR 45.3.0 on September 3.

Since certificate pinning is not efficient, an MitM attacker who can obtain a certificate for addons.mozilla.org by hacking or tricking a certificate authority (CA) can replace legitimate updates sent to Firefox users with rogue versions. This can lead to arbitrary code execution on the targeted system with no user interaction.

The vulnerability also affects the Tor Browser, which is based on Firefox. The Tor Browser is particularly susceptible considering that, unlike Firefox, which might not have any add-ons installed, it comes with the HTTPS Everywhere and NoScript add-ons preinstalled.

The issue was first brought to light by a researcher who uses the online moniker “movrcx” on September 13. The expert warned that a sophisticated threat actor, such as a nation state or a criminal organization, could leverage a certificate pinning issue to launch mass attacks against Tor users. Movrcx estimated that launching these types of mass attacks would cost an attacker roughly $100,000.

The theoretical attack scenario described by Movrcx was initially “mocked as non-credible” by representatives of the Tor Project. However, a few days after Movrcx’s disclosure, researcher Ryan Duff confirmed that the attack worked against both Firefox and the Tor Browser, and detailed the root cause of the issue.

The Tor Project has already addressed the vulnerability on Friday with the release of Tor Browser 6.0.5. Mozilla has promised to patch the flaw on Tuesday, September 20, with a Firefox security update.

“We are not presently aware of any evidence that such malicious certificates exist in the wild and obtaining one would require hacking or compelling a Certificate Authority. However, this might still be a concern for Tor users who are trying to stay safe from state-sponsored attacks,” explained Selena Deckelmann, senior manager of security engineering at Mozilla.